Re: Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

[Denis Ovsienko <denis () ovsienko info>]

> I don't really want to put *all* my eggs on github. 

I agree that GitHub is a business and businesses are not always in a good shape and are not forever in the best case. 
Specifically, many projects have had a lesson from SourceForge "developments" in the recent few years.

Besides that, where a project is hosted does not matter as much as if it has working backups (in this scope git 
provides a very convenient means to backup its own repositories). Hosting hardware and software just fail from time to 
time, whether the infrastructure is your own or sponsored by somebody else.

So the problem is to let GitHub do its good things to tcpdump yet to protect from the bad ones. To me it seems that for 
the next few years the best balance between survivability and convenience would be in continuing to use both GitHub and 
bpf.tcpdump.org, but with one important change. The changes should normally be committed to GitHub instance only, as 
that's currently the environment that is most convenient for contributors of varying levels of experience. Then 
bpf.tcpdump.org would not experience auto-merging difficulties any more and with the two repositories being 100% 
identical the read-only choice between the two will become again purely theoretical and a matter of taste. A weekly 
backup of bpf.tcpdump.org on top of that will bring a complete peace of mind.

Does that sound reasonable?

-- 
    Denis Ovsienko

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers